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Abstract — The problem of securing data against eavesdropping 
in distributed storage systems is studied. The focus is on systems 
that use linear codes and implement exact repair to recover 
from node failures. The maximum file size that can be stored 
securely is determined for systems in which all the available 
nodes help in repair (i.e., repair degree d — n — 1, where n is 
the total number of nodes) and for any number of compromised 
nodes. Similar results in the literature are restricted to the case 
of at most two compromised nodes. Moreover, new explicit upper 
bounds are given on the maximum secure file size for systems 
with d < n — 1. The key ingredients for the contribution of 
this paper are new results on subspace intersection for the data 
downloaded during repair. The new bounds imply the interesting 
fact that the maximum data that can be stored securely decreases 
exponentially with the number of compromised nodes. 

I. Introduction 

We study the problem of making distributed storage systems 
(DSS) information-theoretically secure against eavesdropping 
attacks. These systems are witnessing a rapid growth in recent 
years and include data centers and p2p cloud storage systems. 
These systems use data redundancy to achieve data reliability 
and availability in the face of frequent node failures. Three- 
times (3x) data replication has been the industry standard to 
achieve this goal. However, this solution does not scale well 
with the large amounts of data (in the order of petabytes) that 
these systems need to store. For this reason, data centers have 
started utilizing more sophisticated erasure codes on part of 
their data (typically the "cold" data that is not highly accessed) 
to protect against data loss JT], 0. 

Erasure codes can achieve the same reliability levels as 3x 
replication with a much reduced storage overhead. However, 
they result in other system costs consisting of higher repair 
bandwidth, disk reads, computation complexity, etc. Moreover, 
erasure codes present new challenges when trying to secure 
the system. We illustrate this phenomenon with the example 
in Fig. [I] which depicts an (n, k, d) = (4, 2, 2) DSS. The 
parameter n — 4 represents the total number of nodes of unit 
storage capacity each, and fc = 2 is the number of nodes 
contacted by a user to retrieve the stored file. A new node, 
added to the system after a failure, contacts d = 2 other 
nodes to download its data (d is referred to as the repair 
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Fig. 1. An example of how repairing a DSS can compromise the system 
security. The original DSS formed of nodes 1, ... ,4 is secured against a 
single compromised node using a secret sharing scheme or a coset code. 
However, repairing failed nodes can break the security of the system. For 
instance, consider the case when node 1 fails and is replaced by node 5, 
which is already compromised. The eavesdropper can observe all the data 
downloaded by node 5 and therefore decode the stored file F. 

degree). Fig. [T] shows the failure and repair of node 1. Using 
a maximum distance separable (MDS) code, such as a Reed- 
Solomon code, the user can store a file of size 2 units in the 
DSS, which is also the information-theoretically optimal size. 
Now, suppose that we want to protect the system against an 
eavesdropper that can observe at most one node in the DSS 
unknown to us. If the system does not experience failures and 
repairs, then one can store securely a file F of one unit on 
the DSS by "mixing" the information file F with a randomly 
generated unit sized key K using the code depicted in the 
figure. This code can be regarded as a secret sharing scheme 
0, a coset code for the wiretap channel II (4), or as a secure 
network code for the combination network 0, 0. The code 
allows a user contacting any 2 node to decode the file F and 
leaks no information to the eavesdropper. A security violation 
occurs, however, when a node fails and is replaced by a new 
one. The replacement node has to download data from the 
surviving nodes in the system to regenerate the lost data. Now, 
if the new node is already compromised, this will reveal all 
the downloaded data to the eavesdropper. For instance, the 
figure depicts the case when node 1 fails and the coded data 
chunk F + K is lost. The new replacement node downloads 
the two data chunks K and F + 2K to decode the lost packet 



F + K. However, this may reveal these two packets to the 
eavesdropper which can decode the file F. Therefore, even 
if we start with a perfectly secure code, the repair process 
can break the system security and result in data leakage. Our 
goal in this paper is to quantify how much data can be stored 
securely in a storage system even when the system experiences 
failures and repairs. 

We consider systems that implement exact repaifijm which 
the repair process regenerates an exact copy of the lost packet 
(see Fig. fTh. Exact repair is a requirement in many practical 
systems for numerous reasons, such as preserving the system- 
atic form of the data and allowing temporary reconstruction 
of data stored on a "hot" (i.e. highly accessed) node QJ. 
We also focus on linear coding schemes since they are the 
dominant class of codes employed in practice due to their 
ease of implementation. For these systems we are interested in 
quantifying the maximum amount of data that can be stored in 
a DSS with a given storage and repair bandwidth budgets while 
keeping the system perfectly secure. This means that we want 
to guarantee that no information is leaked to an eavesdropper 
that can observe a certain number of nodes in the system. 

Contribution: We find an expression for the maximum 
file size that can be stored securely on a DSS under the linear 
coding and exact repair constraints. Our result holds for any 
number of compromised nodes for a DSS with repair degree 
d = n — 1. Similar results in the literature exist only for 
systems in which at most two nodes can be compromised by an 
eavesdropper. We also give new explicit upper bounds on the 
maximum secure file size for systems with d < n—1. The key 
ingredients for our contribution are new results on subspace 
intersection for the data downloaded during repair. Our bounds 
imply the interesting fact that the maximum secure file size in 
the minimum storage regime decreases exponentially with the 
number of compromised nodes in contrast with for example 
the minimum-bandwidth regime O, |9| or secret sharing 
schemes where it decreases linearly. 

Related work: Dimakis et al. studied in |7j the 
information-theoretic tradeoff between storage overhead and 
repair bandwidth in distributed storage systems. Pawar et al. 
studied the problem of securing distributed storage systems 
under repair dynamics against eavesdroppers and malicious 
adversaries in (8), iflOl , ifTTl . They provided upper bounds 
on the system secure capacity and proved its achiveability in 
the bandwidth-limited regime for repair degree d = n — 1. 
Shah et al. constructed secure codes based on the product- 
matrix framework in |9| and fl2l . These codes can achieve 
the upper bound in [ 10 1 for the minimum-bandwidth regime 
and for any repair degree d. Raw at et al. gave tighter bounds 
on the secrecy capacity of a DSS in the minimum storage 
regime |13| and proved the achieveability of their bound for 
d = n — 1 and for certain system parameters. Dikaliotis et 
al. studied the security of distributed storage systems in the 
presence of a trusted verifier lfl4l . 

1 See f° r 'he other type of repair referred to as functional in the 
literature. 



Organization: The paper is organized as follows. In 
Section III] we describe the system and eavesdropper models 
and set up the notation. In Section III we state our main 



results. We follow these by first providing an intuition behind 
the results in Section|lV]and then the proofs in Section [V] We 
conclude with a summary of our results and open problems in 
Section ED 

II. Problem Setting 
A. System Model 

A distributed storage system consists of n active storage 
units or nodes {1, 2, . . . , n}, each with a storage capacity of 
a symbols belonging to some finite field F. Nodes in a DSS 
are unreliable and fail frequently. When a storage node fails, 
it is replaced by a new node with the same storage capacity 
a. A DSS storing a data file T of M symbols (in F) allows 
any legitimate user called a data collector to retrieve the M 
symbols and reconstruct the original file T by connecting to 
any k out of the n active nodes. We term this the MDS property 
of the DSS. Furthermore, we focus on single node failures 
since they are the most frequent in such systems. A new node 
added to the system to replace a failed one connects to d 
arbitrary nodes chosen out of the remaining n—1 active ones 
and downloads j3 units from each. The repair degree d is a 
system parameter satisfying k < d < n — 1, and the nodes 
aiding in the repair are called helper nodes. The so-called 
repair process usually demands a higher repair bandwidth d/3 
than the amount of data a it actually stores. Moreover, the 
reconstructed data can possibly be different from the original 
data stored in the failed node. We define an (n, fc,<i)-DSS as 
a DSS that uses d nodes for the repair of a failed node to 
continuously maintain the fc-out-of-n MDS property. 

Dimakis et al. |7| showed that there is a fundamental 
tradeoff between the amount of data stored in each node a and 
the minimum repair bandwidth df3 required to store a file in 
the system. We focus on one extremity of this tradeoff, called 
minimum storage, in which each node stores the minimum 
possible a = M/k. An MDS code achieving the minimum 
repair bandwidth for this a, 

is referred to as an optimal bandwidth MDS code or a 
minimum storage regenerating (MSR) code. Furthermore, in 
this paper, we consider the case of exact repair, where the 
replacement node is required to reconstruct an exact copy of 
the lost data. In other words, the DSS consisting of n active 
nodes (and the MSR code) is invariant with time. It has been 
shown that optimal repair bandwidth is achievable for exact 
repair [15|. 

We concentrate on the practical scenario of linear MSR 
codes, which preserve the optimal repair bandwidth of (fTJ. 
Without loss of generality, we can separate the nodes in the 
DSS storing an MDS code into systematic and parity nodes. 
We designate the first k nodes as systematic, where node 
i,i £ [k] := {1,2, ... ,k}, stores the data vector Wi of 



column-length a. The data vector w^+i stored in parity node 

i,i £ [n — k], is given by 






(2) 



where Ai.j £ F aXQ is the coding matrix corresponding to the 
parity node i £ [n — k] and the systematic node j £ [k]. For 
optimal bandwidth repair of a failed systematic node i £ [k], 
all other nodes transmit (3 amount of information, i.e., a helper 
node j 7^ i transmits a vector of length (3 given by Vj^Wj, 
where Vjj £ F' 3xa is the repair matrix used for the repair of 
node i by node j. The vector Vj.iWj can also be interpreted as 
a projection of Wj onto a subspace of dimension f3. We will 
use Vj i, interchangeably, to denote both the matrix and the 
subspace obtained by the span of its rows. 

B. Eavesdropper Model 

We assume the presence of an eavesdropper Eve in the DSS, 
which can passively observe but not modify the contents of 
up to £ < k nodes of its choice. Eve can not only observe 
the data stored in a node i, but also the repair data Vj^Wj 
flowing into its replacement from a helper node j ^ i. In 
other words, not only does Eve have complete knowledge of 
Wi, it can potentially infer a part of Wj as well. In line with 
our assumption of repair of only systematic nodes, we assume 
that Eve can observe the repair data for only a subset of the 
systematic nodea^l £ d , where £ d C [k], and denote the rest 
of the observed nodes (for which it just observes the stored 
data) as £ s , £ s C [n]. The size of these subsets are denoted 
by £\ = \£ s \ and £2 = \£d\, where £1+^2 = £■ Finally, we 
assume that Eve has complete knowledge of the storage and 
repair schemes implemented in the DSS. 



M< s > 



C. Secrecy Capacity 

Let U be a random vector uniformly distributed over F 
representing an incompressible data file with H(U) — M^ s \ 
Let Wi denote the random variable corresponding to the data 
Wi stored in node i, i £ [n]. Let us assume that a set T) of 
d helper nodes aid in the repair of node i. We denote the 
random variable corresponding to the data transmitted by a 
helper node m £ T> for the repair of node i by S l m {T>), and 
the total repair data downloaded by node i by S^. We drop 
the T> in the notation and call these S l m and S % , respectively, 
when the context is clear. 

Thus, Wi represents the data that can be downloaded by a 
data collector when contacting node i and observable by Eve 
when i £ £ s , while S l represents the total data revealed to 
Eve when accessing a node i £ £ d . Notice that the stored data 
Wi is a function of the downloaded data S l . For convenience 
let us denote {Wi : i £ A} by W A , {Sf : j £ A} by Sf, and 
{S i :i£ A} by S A . 

2 Note that for securing the data, we do not store the original file on 
the systematic nodes, but rather the original file data encoded with random 
keys. However, we shall continue to refer to these nodes as systematic for 
convenience. 



The MDS property of the DSS can be written as 

H(U\W A ) = 0, 



(3) 



for all A C [n], such that \A\ = k. To store a file U on the 
DSS perfectly secured from the eavesdropper Eve, we have 
the perfect secrecy condition, 



H(U\W e „S t 



H(U) 



(4) 



for all £ s C [n],£ d C [k]\£ s , and \£ s \ + \£ d \ < k. 

Given an (n, k, d)-DSS with £\ and £2 compromised nodes 
(as described above) its linear coding secrecy capacity C s (a), 
is then defined to be the maximum file size H(U) that can 
be stored in the DSS using an optimal bandwidth MDS code 
for exact repair, such that the reconstruction property and the 
perfect secrecy condition simultaneously hold, i.e., 



C s {a) 



sup 

A,£,,£ d : 
J3},jl|hold 



H(U). 



(5) 



III. Main Results 



In this section, we state our main results. The proofs will 
follow in Section [V] after give a rough idea behind the results 
in Section llV] The following lemma provides a lower bound 
on the sum of subspaceaj associated with the repair bandwidth 
from a particular node, when it aids in the repair of multiple 
nodes. 

Lemma 1: Consider an (n, k, d)-DSS in the systematic 
form with nodes having storage capacity a. Let nodes [k] be 
the systematic nodes and let Vj, j be the f3xa matrix associated 
with the exact repair of node j by node i. Then, for d = n — 1 
and for each i £ [k], we have 



dim 




> 



fc-1 



-k 



ixp 



(6) 



where A C [fc]\{i} and Vij is the subspace corresponding to 
the matrix. 

The next theorem gives an upper bound on the (linear 
coding) secrecy capacity C s (a) for a given number of com- 
promised nodes. 

Theorem 2: Consider an (n, k, d)-DSS with a node storage 
capacity of a, which stores an optimal bandwidth linear 
MDS code for exact repair of systematic nodes. Suppose an 
eavesdropper gains access to the data stored in £\ nodes and 
the data downloaded during the repair of £2 systematic nodes, 
such that 

£ x +£ 2 < k. 

The achievable secure file size M s for the given MSR code 
is then upper bounded by 



M s < (k-ii-k) 1 



1 



d-k + 1 



a. (7) 



3 The sum of subspaces B, C is defined as B+C = {b+c : b £ B,c £ C}. 
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Fig. 2. An (n, k,n— 1)-DSS in which nodes 1, . . . , I have failed and have 
been replaced by the I compromised nodes in red (nodes on the right). Each 
red node is repaired by contacting all of the other d = n — 1 nodes in the 
system. For clarity, we only depict the edges between the red nodes and the 
remaining k — £ non-compromised systematic nodes (in blue, on the left). At a 
high level, the upper bound in Theorem|2]is obtained by evaluating the amount 
of information leaked to the eavesdropper in this scenario. This includes the 
information stored in the red nodes, plus the information contained in their 
downloaded data. The latter can be bounded using Lemma [T] which gives a 
handle on the correlation among all the data downloaded for repair. 

The next theorem establishes that the upper bound in 
Theorem [2] is achievable when d = n — 1. 

Theorem 3: For an (n, fc,d)-DSS with d = n — 1, the 
secrecy capacity for optimal bandwidth MDS codes such that 
any systematic node is exact-repairable using a linear coding, 
is achievable for a — (n — k) and is given by 



C s (a) 



(k-£i-£ 2 ) 1- 



1 



(8) 



Moreover, the capacity is achievable for all {t-x,^)- 

Proof: The proof follows from |[T3l Theorem 10] which 
describes an achievability scheme by precoding a (n, k) zigzag 
code lfl6l using a maximum rank distance code. ■ 

IV. Some Intuition 

Before giving the formal proofs, we present in this section 
some intuition behind the upper bound |7]i on the maximum 
achievable secure file size for a given DSS. We start with a 
simple toy example. How much data can we store securely 
in a system of 2 nodes of storage size a such that a user 
can recover it in the presence of an eavesdropper which has 
access to any one (unknown to us) node? We can quickly 
upper bound the answer by a data units by arguing that if we 
actually knew which node was compromised, we would not 
store any information in that node. In fact, this upper bound 
is achievable by using a random key r of size a and storing it 
on node 1 and storing m + ron node 2, where w is the data. 
In other words, we subtract the amount of information visible 
to the eavesdropper from the total storage size available to the 
user. Then, by exploiting randomness this upper bound can be 
achieve even without knowing the identity of the compromised 
nodes. 

We extend this argument to an (n, k, d)-DSS with nodes of 
storage capacity a and repair bandwidth (3 per helper node. 



We explain our results for the specific case of two parity 
nodes and d = n — 1 for which the optimal repair bandwidth 
/3 = a/2. This means that each helper node sends half of 
its "information" to a replacement node. We also restrict our 
attention to the more-compromised nodes for which Eve can 
observe the repair data, i.e., let £ = £ 2 = \£d\, where £^ C [k]. 
As in the 2-node example, we first try to find an upper bound 
on the maximum secure file size by asking how much would 
we store if we knew that the first £ nodes were compromised, 
or £d = [£]. We do not store any information on these £ nodes. 
We know however that Eve also gains some information about 
the nodes aiding in the repair of the compromised nodes if 
they were to fail. We assume that in a large enough length of 
time, each node fails at least once, and is repaired by the rest 
of the nodes. In particular, Eve has access to the information 
flowing to each of the compromised nodes from each of the 
remaining nodes. Fig. [2] shows the information flows which 
we shall focus on. 

The information observable by Eve about node i, i S 
{^+1, . . . , k}, is obtained by the vectors VijWi communicated 
from node i to each compromised node j E [£]. The total 
knowledge Eve has about node i is therefore equivalent to 
the combined information present in {Vi t jWi}j =1 , or in other 
words, equivalent to the rank of the (3 x £a matrix, 

[V it i I Vi, 2 1 • • • 1 v iti ] . 

If instead, we view Vij to be a subspace spanning the rows 
of the matrix Vij, this rank can also be represented as the 
dimension of the sum of subspaces, 

dimtX,! +Vi, 2 + • • • +Vij) . 

In this paper, we provide explicit bounds for the dimension 
of these sums of subspaces. For two parity nodes, we show 
that an addition of each repair subspace from a node reveals 
half of the information (about the helper node) which was 
unrevealed before the addition. To clarify, all subspaces reveal 
half of the information by design (/3 = a/2). If we add two 
subspaces, because any two of these subspaces, say V^i and 
Vi t 2, cannot intersect in more than a/4 dimensions fTTl . iTHl . 
their sum has to be more than 

a a 

2 + 4 
dimensions. Lemma [T] implies that for £ subspaces, a lower 
bound of 



= 1- 



1 

dimensions has to be revealed by node i in repairing the t 
compromised nodes. 

This calculation thus gives us the amount of information 
visible to Eve, which is £a from the compromised nodes and 



{k-£)[l 



from the (k — £) non-compromised nodes. As in the 2-node 
example, it can be proved that using randomness (maximum 



rank separable codes, |Q~3)), we can securely store a total of 
ka minus the information visible to Eve, i.e., 

data units in the presence of £ compromised nodes. 

V. Proofs 

Proof of Lemma 17} We prove the lemma for the case 
of two parity nodes, i.e., n = k + 2. The proof can easily 
be extended to the case of more than two parity nodes. For 
the corresponding (k, k + 2, d = k + 1)-DSS, as in Section 
|ll] we represent the symbols stored in the nodes [n] by the 
column-vectors wi, . . . ,w n of length a, and assume the first 
k nodes to be systematic. For convenience, we rename the 
coding matrices for parity node 1, Aij,j £ [k] as Aj,j € [k], 
and those for parity node 2, A 2 j,j 6 [k] as Bj,j <G [k]. 

When node j fails, node i transmits the matrix VijWi in 
order to repair node j. When the number of parity nodes is 
2, Vij is an a/2 x a matrix. For notational simplicity, we 
represent the matrices Vk+i,j and Vk+2,j by Sij and S2J for 
all j € [k]. It can be shown that an optimal bandwidth exact 
repair of systematic nodes necessitates interference alignment 
iTTSl and leads to the following subspace conditions (e.g. ifTTl ): 

&i j A} 



S2,jBi, 


(9) 


v id , 


(10) 


¥ a , 


(11) 



SijAj + S 2 ,jBj 

for all j £ [k],i € [fe]\{j'}, and )c denotes an equality 
of subspaces. In other words, the above subspace equalities 
specify the conditions required for the repair of a systematic 
node j by the set of helper nodes [n]\{j}. 

We prove the result stated in the lemma using induction. 
Base case: For \A\ = 1, we have dim (Vij) > a/2, which 
follows from the model constraints on the given DSSn 

Inductive step: Suppose the claim holds for \A\ = m — 1. 
We shall prove that the claim also holds for |.4| = m. Without 
loss of generality, let A = [m] ■ 

For [k] 3 i ^ [m], we have 

dim J2 V ^ = dim J2 S hi A i , (12) 



dim J2 S hi 



vi=l 



dim ^2 s i,jA m , 



(13) 



(14) 



\ 3=1 

(m-l 
y^ SijA m n S 2 , m B ri 
3 = 1 

+ 6im(Si, m A m ), (15) 

4 It can be shown from the MDS property of the storage code that all the 
coding matrices {Ai, Bi},i S [k] have full rank, and from the subspace 
conditions that all the subspaces Vj,j have full rank as well. 



where ( fT2] i follows from (JTOj, ( fT3] l and ( fl4] > follow from 
distributivity and the fact that the matrices Ai and A m are 
invertible, and therefore dim (SA4) — dim (S) = dim (SA m ), 
for any subspace S. For (fl5j, notice that the subspaces 

f m-l \ 

/ SijA m f~l S2,m,B m , 



and Si Jn A m intersect only in the zero vector, see (Hi. 
Furthermore, both are contained in the subspace 




and hence so is their direct sum. 

Using the identity for arbitrary subspaces S a and St, 
that dim (S a + S b ) + dim (S a n S b ) = dim (S a ) + dim (S b ), 
and the fact that the subspaces S2, m B m and Si >m A m have 
dimension a/2 {A m and B m being nonsingular), we obtain 
from ( fT5] l, 



1 m — l 



dim >, Vi,j -^ dim N, ■S'lj-^n 



(16) 



v.' =1 



m—l 



- dim ^2 Si j A m + S 2 , m B n 



j=i 



The third term on the right hand side in inequality ( [T6| > 
equals the term on the left hand side, because 

(m-l 
^ S'ljAn + S 2 , m B n 
3 = 1 

(m-l 
^ Sij^B" 1 + 52,; 
i=l 
(m-l 
2_] 5*2 j + £2,1 



(17) 




where the steps follow from similar reasons as in (12i-(15i 
Also, similarly, 



dim (^ K M I (18) 
3=1 




Using the induction hypothesis and (16i-(18i, we have 



2 dim ( ^ Vi,j > dim ^ V m , 3 
<3=i J \ 3=1 

1 



> 1 



lra-1 



a + a, 



which completes the inductive step. 



For the sake of completeness, we present here the 
information-theoretic proof given in iFPSll which transitions into 
the proof of Theorem 13] via Lemma [T] However, our notation, 
described in Section |nj is inspired by [19|. 

Proof of Theorem H\ Let 1Z be any set of k — l\ — ii 
systematic nodes not in £ 8 or £d- In order to store a file U of 
entropy M^ a ' securely in the DSS, we have 

M {s) = H{U\W £s ,S £d ), 

= H{u\W £s ,S £d )-H{U\W £s ,S £d ,W n ] 
= l(U;W n \W £s ,S £d ), 
H(W n \S £ «), 



< 



< 



Wi 



S £d 



EH 

T,(H(Wi,s; 



E 

ieiz 



H[S, 



?£<i 



(19) 
(20) 
(21) 
(22) 

(23) 
(24) 
(25) 



where ( fl9| ) is the same as Q, pO) follows from Q and the 
fact that W is a function of S l , and (25 1 from the fact that 
S™ is a function of Wi, for any m j^ i. Using the linearity of 
the MDS code being used, we have 



H(S £ *) = diml^^j 



(26) 



where because i € 1Z, we have £ 2 C [fc]\{z}. Thus, we have, 



M (s) < (k-£ 1 -£ 2 )(l- 



(27) 



For d < n — 1, we focus on the first d + 1 nodes, viewing 
it as an (n' = d + 1, fc, d = n' — 1)-DSS. The conditions 
of exact repair for this restricted system form a relaxation of 
the original problem, and thus an upper bound on M^ for 
this system also holds for the latter. By the optimal bandwidth 
condition ([T|, and because exact repair requires interference 
alignment, from Lemma [T| we obtain for i £ [k], 



dim 



E^ 



> 



1- 



d-k 
d-k + 1 



l-AP 



for A C [&]\{i}. Note that our helper set of nodes is V = 
[n']\{i} for repairing node i. We therefore obtain the required 
bound on M^ using a similar set of equations as for d = 
ra - 1. ■ 

VI. Conclusion 

We have studied the problem of securing data in distributed 
storage systems against eavesdropping. Our focus has been 
on systems that implement linear codes and exact repair. We 
have determined the maximum file size that can be stored 
securely in these systems for any number of compromised 
nodes, when the repair degree d = n — 1. For the other cases, 
i.e., when d < n — 1, we have given new upper bounds on 



the amount of secure data that can be stored in the system. 
Many questions remain open, such as constructing codes that 
can achieve our upper bound |7]) for d < n — 1, and finding a 
general expression of the system secrecy capacity without the 
linearity and exactness assumptions. 
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